The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Saturday, December 29, 2012

Government "loses" sensitive personal information on thousands of Canadians

Over the past week, Human Resources and Skills Development Canada has been notifying approximately 5000 people that their personal information has been lost. According to reports, the information was on a USB device that has been "misplaced". The information includes Social Insurance Number (SIN); surname; primary and, if applicable, secondary medical condition; birthdate; presence of other payers (e.g., workers' compensation); level of education; occupation type; and Service Canada processing centre.

This is an ENORMOUS screw-up by the Government of Canada. Unencrypted personal information should never be put on these devices, as they are notoriously easy to lose. I am also surprised that the Privacy Commissioner's office, at least as quoted in the media, has not yet decided whether to do a formal investigation.

A federal government department says there is no evidence that missing personal information about thousands of Canadians has been used for fraudulent purposes.

Human Resources and Skills Development Canada says an employee reported on Nov. 16 that a USB key containing personal information, including Social Insurance Numbers, of about 5,000 Canadians was missing.

The department, which handles a variety of files including pensions, old age security, employment insurance and childcare tax credits, says all those affected have been contacted.

A spokesperson said in an email Friday evening that the affected people have been advised of the incident and informed of the steps they can take to help protect their personal information.

HRSDC notified the privacy commissioner's office on Dec. 21 that the data had been lost.

About 60 people have already called an information line at the privacy commissioner's office expressing concern about the incident and complaints have already been filed.

"It's too early to say whether or not these will turn into official, full, investigations," said Anne-Marie Hayden, a spokeswoman for the privacy commissioner.

"We'd have to look at what we receive first and determine next steps from there."

HRSDC said it has seen no evidence that any of the information contained on the missing USB key has been used for fraudulent purposes.

"Nonetheless, we have advised affected individuals to carefully review and verify bank information, credit card information and other financial transaction statements as a means of safeguarding their personal information as a precautionary measure," the email said.

"We are currently analyzing this incident with the view of preventing a similar occurrence in the future," it added.

The commissioner's office is working with HRSDC in an effort to figure out what happened.

Each year, federal departments are required to report on how well they comply with privacy legislation.

In the 2010-2011 report — the most recent one posted on HRSDC's website — the department noted that it had been the subject of three complaints regarding how it handled personal information.

Please note that I am only able to provide legal advice to clients of my firm. If you have a privacy matter, please contact me about becoming a client. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser may not be protected by solicitor-client privilege.

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Due to professional ethics, the author may not be able to comment on matters in which a client has an interest. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.